
Request to Add Expression Language Injection Vulnerability (e.g., SpEL injection)

Open ImanSharaf opened this issue 2 years ago • 2 comments

I'd like to propose the addition of Expression Language (EL) Injection to the ASVS standards, given its relevance and increasing occurrences in modern applications.

Expression Language (EL) Injection is a type of injection attack where an attacker can inject arbitrary code into an application's EL engine, potentially leading to remote code execution, information disclosure, or other malicious activities. Several frameworks use expression languages to bind data between views and back-end services. When not properly validated or sanitized, these bindings can become attack vectors.

Spring Expression Language (SpEL) Injection

Spring Framework, popular in the Java ecosystem, uses its own expression language, called Spring Expression Language (SpEL). An application using SpEL is vulnerable if it directly evaluates expressions from untrusted sources.

Considering the potential risks and the popularity of frameworks using expression languages, I believe it would be valuable to incorporate this vulnerability into the ASVS standards. This would provide guidance for organizations to ensure their applications are safeguarded against such attacks.

ImanSharaf avatar Sep 25 '23 21:09 ImanSharaf

The question is whether it is widespread enough to deserve a special spotlight as a separate requirement, or whether it can be covered by some more abstract requirement.

https://github.com/OWASP/ASVS/issues/1589 - after splitting up the current 5.3.1, we will have quite a few requirements for injection, sanitization, encoding and execution. If we add a separate requirement for each technology or framework, maybe it's too much.

elarlang avatar Sep 26 '23 06:09 elarlang

I am going to drop this into the V5 rework bucket because I think we need to consider all these issues together.

tghosth avatar Sep 27 '23 10:09 tghosth

I propose adding this to 5.2.8:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 5.2.8 | [MODIFIED] Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, Spring Expression Language (SpEL), or similar. | | | | 94 |

Any objections @ImanSharaf ?

tghosth avatar Aug 12 '24 11:08 tghosth

If we want to do this, then we should merge other items such as SSTI with this one too?

ImanSharaf avatar Aug 29 '24 18:08 ImanSharaf

Sanitizing SpEL looks like a very bad idea doomed to failure :smile:

I am not sure SpEL injection should be mentioned here; it fits more alongside shell command injection, JavaScript/PHP/Python eval(), SQL, JPQL/HPQL and so on.

randomstuff avatar Aug 30 '24 06:08 randomstuff
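The pattern the issue describes (an application that evaluates an expression built from untrusted input) and the point made in the comment above (that the fix is to keep user text out of the expression source rather than to sanitize it), shown as an added example that is not code from the ASVS issue or from the Spring project. It assumes spring-expression on the classpath; the Greeting class and the greeting expression are hypothetical application code.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelBindingExample {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Hypothetical root object the fixed expression may read. */
    public static class Greeting {
        public String prefix = "Hello, ";
    }

    // VULNERABLE: untrusted text becomes part of the expression source, so a
    // user who sends expression syntax instead of a name decides what the
    // engine evaluates. StandardEvaluationContext gives that expression the
    // full language (types, constructors, method calls): this is eval().
    public static String greetUnsafe(String untrustedName) {
        Expression expr = PARSER.parseExpression("prefix + '" + untrustedName + "'");
        return expr.getValue(new StandardEvaluationContext(new Greeting()), String.class);
    }

    // HARDENED: the expression source is a constant owned by the application;
    // the user's text is bound as a variable, so it is only ever data and no
    // escaping or sanitizing of it is needed. SimpleEvaluationContext further
    // disables type references, bean references, constructors and arbitrary
    // method invocation, limiting the reach of any mistake in the fixed expression.
    public static String greetSafe(String untrustedName) {
        Expression expr = PARSER.parseExpression("prefix + #name");
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("name", untrustedName);
        return expr.getValue(ctx, new Greeting(), String.class);
    }

    public static void main(String[] args) {
        // Constructed input: a "name" that also contains expression syntax.
        String input = "Ada' + prefix + '";
        // The safe form echoes the input back verbatim as part of the greeting.
        System.out.println(greetSafe(input));
        // The unsafe form evaluates the embedded reference to prefix instead.
        System.out.println(greetUnsafe(input));
    }
}
```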

@randomstuff do you have a suggested requirement to include it in? What is your suggested mitigation?

tghosth avatar Sep 02 '24 17:09 tghosth

Having read this, I agree it sounds more like eval/dynamic code execution: https://0xn3va.gitbook.io/cheat-sheets/framework/spring/spel-injection

tghosth avatar Sep 18 '24 06:09 tghosth

Opened #2091

tghosth avatar Sep 18 '24 06:09 tghosth